Eugene Crosser <crosser@xxxxxxxxxxx> wrote:
> > +static void vrf_nf_set_untracked(struct sk_buff *skb)
> > +{
> > + if (skb_get_nfct(skb) == 0)
> > + nf_ct_set(skb, 0, IP_CT_UNTRACKED);
> > +}
> > +
> > +static void vrf_nf_reset_ct(struct sk_buff *skb)
> > +{
> > + if (skb_get_nfct(skb) == IP_CT_UNTRACKED)
> > + nf_reset_ct(skb);
> > +}
> > +
> Isn't it possible that skb was marked UNTRACKED before entering this path, by a
> rule?

I don't think so, it should be called before any ruleset evaluation has taken place.

> In such case 'set_untracked' will do nothing, but 'reset_ct' will clear
> UNTRACKED status that was set elsewhere. It seems wrong, am I missing something?

No, that's the catch. I can't find a better option.

I can add a patch to disable all of the NF_HOOK() invocations from vrf which removes the ability to filter on vrf interface names.

The option to add a caller_id to nf_hook_state struct (so conntrack/nat can detect when they are called from the vrf hooks) either needs copypastry of entire NF_HOOK* inline functions into vrf (so the 'is-vrf' flag can be enabled) or yet another argument to NF_HOOK(). It also leaks even more 'is vrf' checks into conntrack.
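Review bot: vrf_nf_reset_ct cannot tell an UNTRACKED state it set itself apart from one the skb already carried on entry, so it clears either one; the helper pair is only safe under the ordering assumption stated in the reply (called before any ruleset evaluation), and nothing in the hunk records or enforces that. Either have vrf_nf_set_untracked return whether it actually called nf_ct_set and gate the later nf_reset_ct on that result, so the reset only undoes a mark vrf itself applied, or add a comment on both helpers documenting the ordering invariant so a future caller placed after rule evaluation does not silently drop an UNTRACKED state set by a rule.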